Hi, does the latest OSSEC have rules to catch the following brute force attacks? I just got hit w/ over 20,000 requests overnight by this Korean hacker/spammer:

Dec 19 02:55:31 mail vpopmail[28761]: vchkpw-pop3: vpopmail user not found webadmin@:61.33.87.88
Dec 19 02:10:20 mail vpopmail[24587]: vchkpw-pop3: invalid user/domain characters hannah :61.33.87.88

If OSSEC doesn't have rules to deny the above, can anyone tell me how I can create a rule that would parse /var/log/maillog to capture these w/ OSSEC active response and block them for 24 hrs?

thx, SW
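An added example of how such a rule set could be written (this is not from the post and not part of OSSEC's shipped rules): a custom decoder for the two vchkpw-pop3 messages above that extracts the source IP, a local rule that escalates when one source keeps failing, and an active-response entry that calls the stock firewall-drop script with a 24-hour (86400 s) timeout. The decoder and rule names, rule IDs 100100-100102, and the threshold of 8 failures within 120 seconds are assumptions to tune; file paths follow the default /var/ossec layout.

```xml
<!-- 1) /var/ossec/etc/local_decoder.xml (or appended to decoder.xml) -->
<!-- Parent decoder: syslog pre-decoding already yields program_name "vpopmail" -->
<decoder name="vpopmail">
  <program_name>^vpopmail</program_name>
</decoder>

<!-- Child decoder: both sample lines end in ":<ip>", so pull the IP into srcip -->
<decoder name="vpopmail-pop3-fail">
  <parent>vpopmail</parent>
  <prematch>^vchkpw-pop3: </prematch>
  <regex offset="after_prematch">:(\d+.\d+.\d+.\d+)$</regex>
  <order>srcip</order>
</decoder>

<!-- 2) /var/ossec/rules/local_rules.xml (IDs 100000-109999 are reserved for local rules) -->
<group name="local,vpopmail,">
  <!-- Grouping rule, level 0: matches every vpopmail line without alerting -->
  <rule id="100100" level="0">
    <decoded_as>vpopmail</decoded_as>
    <description>vpopmail messages grouped.</description>
  </rule>

  <!-- Single failed POP3 login: unknown user or bad characters in the user/domain -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <match>vpopmail user not found|invalid user/domain characters</match>
    <description>vpopmail POP3 login failure.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Brute force: 8 failures (assumed threshold) from one source IP within 120 s -->
  <rule id="100102" level="10" frequency="8" timeframe="120">
    <if_matched_sid>100101</if_matched_sid>
    <same_source_ip />
    <description>vpopmail POP3 brute force: repeated failures from same source IP.</description>
    <group>authentication_failures,</group>
  </rule>
</group>

<!-- 3) /var/ossec/etc/ossec.conf: block the srcip decoded above for 24 hours -->
<!-- firewall-drop is the stock command shipped in ossec.conf with <expect>srcip</expect> -->
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>100102</rules_id>
  <timeout>86400</timeout>
</active-response>
```

After editing, run /var/ossec/bin/ossec-logtest and paste one of the sample lines to confirm that srcip is decoded and rule 100101 fires before restarting OSSEC.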
